- How MFA works
- Onboarding for End Users – with an Authenticator Application
- Onboarding for End Users – with a Token2 programmable token
- Onboarding for End Users – with YubiKey
- Enable MFA gradually for users, groups or OUs
This restriction requires a user to authenticate with an additional (second) factor. UserLock supports MFA through authenticator applications that use time-based one-time passwords (TOTP), such as Google Authenticator and LastPass Authenticator. TOTP is widely accepted and is more secure than alternatives such as SMS-based authentication.
UserLock MFA can be enabled for any user, group or OU in your domain for all logons, unlocks and reconnections to interactive sessions. Granular settings let you define the MFA policy by operating system type (workstation or server), connection type (local or remote), and how often MFA is requested (at every connection, or every N days). To ease onboarding, an option also lets users skip the MFA configuration for a defined number of days.
The MFA messages shown to the end user are customizable, and you can enable an "Ask for help" button on the dialogs so the end user can send an e-mail (and, through e-mail-compatible applications such as Slack, a chat message) and/or a popup help request to the UserLock administrators responsible for implementing MFA.
If an end user cannot log on, one-click admin actions in the UserLock console let you temporarily disable MFA or reset the MFA key for a specific user.
In addition, ad hoc reports show how MFA use evolves over time in your environment: logons for which MFA was used, suspicious logons for which MFA was canceled, skip reasons, and so on.
An MFA dashboard has been added to the UserLock console as a central place for all of these features.
A use case page about UserLock MFA is available here.
How MFA works
When the user registers a TOTP-supporting device, a unique shared key is created. Both the device and the server can generate a time-based one-time password by processing that key together with the current time. By convention, each TOTP is valid for 30 seconds. A user logs in with their regular password, then enters the current one-time password from their device.
- UserLock service version 10.0 and higher
- Windows Vista and higher or Windows Server 2008 and higher
- Only compatible with Desktop agents version 10.0 and higher
- Available for Interactive sessions only
- An authentication application must be installed on the end user smartphone
- Automatic time settings on the UserLock server and on end-user smartphones. If the time is set manually, the passcodes generated by the UserLock server and by the smartphone can drift out of sync and cause login errors.
Onboarding for End Users – with an Authenticator Application
UserLock has built-in functionality to ease the onboarding and education process for users setting up MFA on their smartphones.
We recommend that you create a user-oriented document that you will send to all users affected by MFA. You will find a sample document of this type here.
To help your organization or users choose an application, here are the most widely used:
- Google Authenticator
- Microsoft Authenticator
- LastPass Authenticator
  - This is the most secure option, because even if the phone is unlocked, the app locks itself and you must provide credentials to unlock it and read the MFA code.
- 2FA Authenticator
Whichever application you choose, make sure that the date and time on end users' smartphones are correct (setting them automatically is recommended); otherwise the codes generated by the application cannot be validated.
A user may need assistance with the configuration at their first MFA connection.
Once MFA is enabled for a user account, at their next connection, a dialog box with a QR code will be displayed:
- The text just under “Multi-Factor Authentication” is customizable in the Settings tab.
- The other texts are displayed in the language of the operating system of the computer the user is logging on to (English, the default, French or Spanish).
- The "Skip (N days left)" button is optional. It is disabled by default. You can enable it in the configuration of the protected accounts related to this user.
- The "Ask for help" button is optional. It is disabled by default. You can enable it in the MFA dashboard, “Settings” tab.
When this dialog box appears, the user will need to open the Authenticator application on their smartphone, then scan the barcode. For example with Google Authenticator:
In the "Add an account" step, choose "Scan a barcode" (or "Enter a provided key" if you prefer):
The MFA code is now displayed:
Enter the MFA code in the field of the dialog box, then click "Verify and Continue".
It is recommended to inform users of the circumstances in which MFA will be requested (for example at every logon, at the first logon of the day, and so on).
Once correctly configured, the user will be prompted with the following dialog box for all connections that require MFA.
The user will be able to retrieve the code from the Authenticator application.
Onboarding for End Users – with a Token2 programmable token
Users will need a Token2 programmable token (non-branded version or branded version).
To enroll in MFA (subsequent logins will only require the hardware token), you need an Android device with NFC* and the TOKEN2 NFC Burner app* (make sure you have the latest version, at least 2.1). The same device can be used for several users (a UserLock administrator's smartphone, for example).
[* Windows version is also available, but this guide will use Android as an example.]
To enable two-factor authentication:
- Have your Android device with NFC and the TOKEN2 NFC Burner 2 app installed, and your hardware token ready.
- Once MFA is enabled for a user account, a dialog box with a QR code is displayed at their next connection. Rather than installing an authenticator application, the user does the following.
- Launch the NFC Burner app on the Android device and tap the "QR" button.
- Point the camera at the QR code shown in the dialog box. After a successful scan, the camera window closes. Alternatively, enter the code shown on the same page ("Manual Entry Key:") manually by tapping the "Base32" button under the QR button.
- Turn on the TOKEN2 token and place it on the phone, over the NFC antenna. Then tap "Connect" in the app. If the phone's NFC antenna is not fully aligned with the token, the connection fails; move the phone or the token until the devices connect. Also make sure that NFC is enabled on the phone and that the token is turned on. Click here for more information on NFC link stability issues with Token2 programmable tokens.
- Upon successful connection, tap "Burn seed". If the NFC link is established and the code was scanned correctly, a status window shows "Burning..." and, after a second or two, a "burn seed successful" message appears in the log window.
- After the burn completes, turn the token display off and on again.
- Enter the 6-digit code displayed by the token in the field of the dialog box, then click "Verify and continue".
Thereafter, the user will be able to retrieve the code requested, from the Token2 programmable token itself.
Onboarding for End Users – with YubiKey (HOTP programmable token)
YubiKeys are programmable tokens made by Yubico that can be configured to use HMAC-based one-time passwords (HOTP) for multi-factor authentication.
HOTP is an alternative to time-based one-time passwords (TOTP). Note that the most widely used TOTP solutions are authenticator applications (for example Google Authenticator) and programmable tokens (for example Token2).
UserLock configures the YubiKey efficiently, entirely on the server side, so no client-based configuration is needed.
To authenticate with a YubiKey, users simply touch their security key. The touch-activated YubiKey enters the pre-determined authentication code itself, which removes the risk of the end user typing an invalid code.
Since end users may already use their YubiKey for other purposes (web authentication, personal use, etc.), adding MFA functionality requires an available slot on the device to be configured.
A short touch or a longer touch of about 3 seconds determines which of the two programmable slots is activated; a user who already uses a YubiKey will be familiar with this operation.
For more details and references on YubiKey, see the “About YubiKey” section at the end of this document.
Users need a YubiKey programmable token with FIDO Universal 2nd Factor (U2F) support, such as the YubiKey 5 NFC or Security Keys by Yubico. The device must be inserted into a USB port of their computer during the connection.
To enroll in MFA with a YubiKey, users must connect directly (not via RDP) to a computer so that the UserLock desktop agent can detect the YubiKey. Subsequent connections can be made over RDP with the YubiKey plugged into a USB port of the client computer.
To enable two-factor authentication with UserLock and YubiKey
Once MFA is activated for a user account (configure the MFA frequency you need), the user may need help logging in for the first time with UserLock and YubiKey:
- The user plugs the YubiKey into a USB port of their computer (not via RDP for this first connection, as explained in the "Requirements" section).
- The user logs in.
- The UserLock desktop agent automatically detects that a YubiKey is connected and asks the user whether it is the preferred method for configuring multi-factor authentication (otherwise the TOTP dialog box is displayed):
- If the user chooses "Yes", a dialog box appears showing the available YubiKey slot. Choose the slot, then click "Link YubiKey":
- Next, the UserLock desktop agent programs the YubiKey with the MFA secret (without displaying it), then updates the "Link YubiKey" button to confirm that the operation succeeded:
- The cursor moves to the authentication code field and the user touches the YubiKey according to the selected slot: generally, a short touch activates slot 1 and a long touch activates slot 2.
- The field then shows the associated 6-digit code and the dialog box closes automatically, indicating that the verification succeeded.
Subsequent connections for two-factor authentication with UserLock and YubiKey
After the initial connection, during which the YubiKey is configured, subsequent connections where MFA is requested proceed as follows:
- The user plugs the YubiKey into a USB port of their computer (the client computer if they are using RDP).
- The user logs in.
- The UserLock desktop agent requests the authentication code:
- The user touches the YubiKey button according to the chosen slot: generally, a short touch activates slot 1 and a long touch activates slot 2.
- The field displays the associated 6-digit code. To log on, the user clicks "Verify and continue".
YubiKey and RDP
As explained in the "Requirements" section, remember that to enroll in MFA with a YubiKey, users must connect directly (not via RDP) to a computer; subsequent connections can be made over RDP with the YubiKey plugged into a USB port of the client computer.
Use case: What to do if YubiKey is lost, forgotten...
The optional "Ask for help" UserLock MFA feature (disabled by default) is designed to alert UserLock administrators in such cases; possible actions include resetting the MFA key, temporarily disabling MFA, or assisting with activating the YubiKey.
Use case: What to do if I used TOTP before and now I use HOTP YubiKey?
For such users, reset the MFA key, then configure YubiKey as explained in the section "To enable two-factor authentication with UserLock and YubiKey".
TOTP and / or HOTP
The choice between TOTP and HOTP depends on several factors. For example, HOTP is preferable if the UserLock server runs on a virtual machine whose clock is not synchronized as often as TOTP requires. (If the VM runs on a Hyper-V platform, there is also a risk of time synchronization issues.)
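The TOTP mechanism described under "How MFA works" (a shared key combined with the current time in 30-second steps) and the counter-based HOTP alternative discussed here can be put side by side in code. The following Python script is an added example and not UserLock's own implementation: it implements RFC 4226 HOTP and RFC 6238 TOTP, uses the RFC test secret as a constructed enrollment key (the Base32 string an app would receive from the QR code or "Manual Entry Key" field), and shows why a clock that is off by more than a small window breaks TOTP verification while HOTP only needs a counter with a look-ahead window.

```python
# Added example (not UserLock code): HOTP (RFC 4226) and TOTP (RFC 6238) side by side.
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds each TOTP code is valid for, the conventional value
DIGITS = 6       # code length shown by authenticator apps and Token2 displays

# Constructed enrollment key: the RFC 4226/6238 test secret "12345678901234567890",
# Base32-encoded as it would appear in a "Manual Entry Key" field.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 enrollment key; spaces, lowercase and missing '=' padding are tolerated."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current time step and skew_steps steps on either side.

    The window absorbs a few seconds of drift between server and phone; a manually
    set clock that is minutes off falls outside it and every code is rejected.
    """
    current = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, current + d), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Check a counter-based code; no clock is involved.

    The token may have been pressed without a logon, so the server also tries the
    next look_ahead counter values (resynchronisation). On success the stored
    counter moves past the used value so the same code cannot be replayed.
    Returns (accepted, new_server_counter).
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True, c + 1
    return False, server_counter


if __name__ == "__main__":
    secret = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    print("TOTP now:", totp(secret, now))
    print("TOTP from a phone 90 s fast accepted?", verify_totp(secret, totp(secret, now + 90), now))
    print("HOTP counter 0:", hotp(secret, 0))
```

The two verifiers make the trade-off in the section concrete: `verify_totp` depends on both clocks agreeing to within one step either side, which is why the requirements above insist on automatic time settings, whereas `verify_hotp` never reads a clock but must persist the counter per user and advance it on every accepted code, otherwise a captured code could be replayed.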
Configuration of YubiKey is not possible with an RDP session
A YubiKey cannot be configured over an RDP session; a physical connection to a computer is required.
Use with virtual machines may be limited
A YubiKey can be mounted in VirtualBox virtual machines, where it can be used for both configuration and authentication. With Hyper-V virtual machines, however, configuration fails, although authentication works.
YubiKeys are programmable tokens made by Yubico. A video presenting the YubiKey is available at https://www.yubico.com/.
Getting started with your YubiKey
The YubiKey supports multiple protocols and offers expanded authentication options such as passwordless, strong two-factor authentication (2FA) and strong multi-factor authentication (MFA), and also enables encryption. It also supports Windows/Mac computer logon.
Enable MFA gradually for users, groups or OUs
You can select users, groups, or organizational units for which you want to enable MFA. We recommend that you choose an implementation plan that allows for gradual user onboarding.
For example, enable MFA for an Active Directory group “HR”:
When enabling MFA for new users, consider informing them about how they will be affected (see the Onboarding for End Users sections).
Why are there no Multi-Factor Authentication recovery codes?
Generally, multi-factor authentication recovery codes are used on SaaS applications administered by web services, where an end user cannot contact an on-premises administrator.
In UserLock MFA, authentication is monitored by on-premises administrators who can answer help desk calls about authentication.
Unlock / Reconnect Advanced Setting
By default, all UserLock restrictions (including MFA) are applied to logon, unlock and reconnection events. If you do not want MFA to be requested when users unlock or reconnect to a session, open the advanced settings by pressing F7 in the UserLock console and change the "ApplyRestrictionsonUnlock" setting to False. This setting applies to all UserLock restrictions.
MFA successful feature
If the MFA code is entered correctly but another UserLock restriction refuses the connection, the successful MFA entry does not appear in the UserLock MFA reports; it is only visible in the logs of the UserLock service.
MFA feature on Backup UserLock server
There is no MFA dashboard on Backup UserLock servers.
MFA on the web UserLock console
It is not possible to administer UserLock MFA via the UserLock web console.